Firewall Logs

Does anyone know if I can pull or find the full NAT translation from the UTM?  The firewall log only seems to have the Firewall's IP and the destination.  But that doesn't help me find the Internal IP that was using that port to go to that IP Address.


2013:09:07-15:31:22 Client-1 ulogd[4568]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth1" srcmac="0:22:2d:92:a:d7" dstmac="0:1a:8c:32:67:d9" srcip="204.83.171.40" dstip="67.78.195.194" proto="6" length="40" tos="0x00" prec="0x20" ttl="106" srcport="3389" dstport="1425" tcpflags="RST"


  • That looks to me like an RDP "response" packet from 204.83.171.40 arriving at their External interface (eth1) and being default-dropped out of the INPUT chain (60001).  Is there any reason that someone in Saskatchewan would be trying to get into their network?

    Oops! - too many balls in the air!  See Barry's comment below, and note that

    Cheers - Bob
  • Hi, I think it's a reset on an established RDP connection; 204.83.171.40 looks like the RDP server... note the source port is the RDP port.

    Barry
  • You're right, thanks, Barry.  I was going too fast.  If there's no complaint from the users about interrupted RDP sessions, then it's nothing to worry about.

    Cheers - Bob
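
The reading Barry gives above (service port as source, high port as destination, RST flag) can be applied to packetfilter drop lines with a short script. This is an added example, not part of the original thread; the service-port table, the 1024 client-port threshold and the space-separated `tcpflags` format are assumptions of the example.

```python
import re

# Abridged copy of the log line from the question (MAC fields omitted).
SAMPLE = ('2013:09:07-15:31:22 Client-1 ulogd[4568]: id="2001" severity="info" '
          'sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" '
          'fwrule="60001" initf="eth1" srcip="204.83.171.40" dstip="67.78.195.194" '
          'proto="6" length="40" tos="0x00" prec="0x20" ttl="106" '
          'srcport="3389" dstport="1425" tcpflags="RST"')

FIELD_RE = re.compile(r'(\w+)="([^"]*)"')
# Assumption: a small table of service ports worth naming in the verdict.
SERVICE_PORTS = {22: "SSH", 80: "HTTP", 443: "HTTPS", 3389: "RDP"}
CLIENT_PORT_MIN = 1024  # assumption: ports at or above this are client-side


def parse_line(line):
    """Split a packetfilter log line into a dict of its key="value" fields."""
    fields = dict(FIELD_RE.findall(line))
    for key in ("srcport", "dstport", "proto"):
        fields[key] = int(fields.get(key, 0))
    # Assumption: multiple flags are separated by spaces, e.g. "ACK RST".
    fields["tcpflags"] = set(fields.get("tcpflags", "").split())
    return fields


def classify(fields):
    """Decide whether a dropped TCP packet is a new attempt or return traffic."""
    if fields["proto"] != 6:
        return "not TCP"
    flags = fields["tcpflags"]
    src_service = SERVICE_PORTS.get(fields["srcport"])
    dst_service = SERVICE_PORTS.get(fields["dstport"])
    if flags == {"SYN"}:
        # A bare SYN is someone opening a connection toward dstport.
        return "new connection attempt to %s" % (dst_service or "port %d" % fields["dstport"])
    if src_service and fields["dstport"] >= CLIENT_PORT_MIN and flags & {"RST", "ACK", "FIN"}:
        # Service port as source and a non-SYN flag: the sender is the server side.
        return "return traffic from %s server %s" % (src_service, fields.get("srcip", "?"))
    return "unclassified"


if __name__ == "__main__":
    print(classify(parse_line(SAMPLE)))
```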